Bump ICU MessageFormat (#3122)

This uses `Intl.PluralRules` for plural rules, and fixes a security vulnerability allowing JS injection through translation arguments.
This commit is contained in:
Alexander Skvortsov 2021-10-27 16:41:49 -04:00 committed by GitHub
parent 33cd846b72
commit 902fa06c64
3 changed files with 22 additions and 29 deletions


@ -6,8 +6,8 @@
"": { "": {
"name": "@flarum/core", "name": "@flarum/core",
"dependencies": { "dependencies": {
"@askvortsov/rich-icu-message-formatter": "^0.1.0", "@askvortsov/rich-icu-message-formatter": "^0.2.1",
"@ultraq/icu-message-formatter": "^0.10.1", "@ultraq/icu-message-formatter": "^0.12.0",
"bootstrap": "^3.4.1", "bootstrap": "^3.4.1",
"clsx": "^1.1.1", "clsx": "^1.1.1",
"color-thief-browser": "^2.0.2", "color-thief-browser": "^2.0.2",
@ -40,13 +40,14 @@
} }
}, },
"node_modules/@askvortsov/rich-icu-message-formatter": { "node_modules/@askvortsov/rich-icu-message-formatter": {
"version": "0.1.0", "version": "0.2.1",
"resolved": "https://registry.npmjs.org/@askvortsov/rich-icu-message-formatter/-/rich-icu-message-formatter-0.1.0.tgz", "resolved": "https://registry.npmjs.org/@askvortsov/rich-icu-message-formatter/-/rich-icu-message-formatter-0.2.1.tgz",
"integrity": "sha512-ZSHJZRqtopZljPcoCoyA4K+ORB/CpZKy2yJrZDsRdMB9MaQIKSCMx97WsHMU+VpW4nr8rUxfkE0eqvUlCBu9yQ==", "integrity": "sha512-Gw+FBqsFCIu2+A79gZ6XV68DtAdEj37uRHUDTR9kqLDdWgSK9bVbOWkIl5K1DUnU1ZytffNagVmRF4T1FM11lA==",
"license": "MIT",
"dependencies": { "dependencies": {
"@babel/runtime": "^7.11.2", "@babel/runtime": "^7.11.2",
"@ultraq/array-utils": "^2.1.0", "@ultraq/array-utils": "^2.1.0",
"@ultraq/icu-message-formatter": "^0.10.0" "@ultraq/icu-message-formatter": "^0.12.0"
}, },
"engines": { "engines": {
"node": ">=10" "node": ">=10"
@ -1846,16 +1847,17 @@
} }
}, },
"node_modules/@ultraq/icu-message-formatter": { "node_modules/@ultraq/icu-message-formatter": {
"version": "0.10.1", "version": "0.12.0",
"resolved": "https://registry.npmjs.org/@ultraq/icu-message-formatter/-/icu-message-formatter-0.10.1.tgz", "resolved": "https://registry.npmjs.org/@ultraq/icu-message-formatter/-/icu-message-formatter-0.12.0.tgz",
"integrity": "sha512-UxhC0wQvDmeQSZ/4RtxO62czV8fjV/T6A0JU9zjGS0eK+ho0WeTixnEUJ0vNikFBqUkaopl+HDjrsvTDXm5W+A==", "integrity": "sha512-ebd/ZyC1lCVPPrX3AQ9h77NDK4d1nor0Grmv43e97+omWvJB29lbuT+9yM3sq4Ri1QKwTvKG1BUhXBz0oAAR2w==",
"license": "Apache-2.0",
"dependencies": { "dependencies": {
"@babel/runtime": "^7.11.2", "@babel/runtime": "^7.11.2",
"@ultraq/array-utils": "^2.1.0", "@ultraq/array-utils": "^2.1.0",
"@ultraq/function-utils": "^0.3.0" "@ultraq/function-utils": "^0.3.0"
}, },
"engines": { "engines": {
"node": ">=10" "node": ">=12"
} }
}, },
"node_modules/@webassemblyjs/ast": { "node_modules/@webassemblyjs/ast": {
@ -7383,13 +7385,13 @@
}, },
"dependencies": { "dependencies": {
"@askvortsov/rich-icu-message-formatter": { "@askvortsov/rich-icu-message-formatter": {
"version": "0.1.0", "version": "0.2.1",
"resolved": "https://registry.npmjs.org/@askvortsov/rich-icu-message-formatter/-/rich-icu-message-formatter-0.1.0.tgz", "resolved": "https://registry.npmjs.org/@askvortsov/rich-icu-message-formatter/-/rich-icu-message-formatter-0.2.1.tgz",
"integrity": "sha512-ZSHJZRqtopZljPcoCoyA4K+ORB/CpZKy2yJrZDsRdMB9MaQIKSCMx97WsHMU+VpW4nr8rUxfkE0eqvUlCBu9yQ==", "integrity": "sha512-Gw+FBqsFCIu2+A79gZ6XV68DtAdEj37uRHUDTR9kqLDdWgSK9bVbOWkIl5K1DUnU1ZytffNagVmRF4T1FM11lA==",
"requires": { "requires": {
"@babel/runtime": "^7.11.2", "@babel/runtime": "^7.11.2",
"@ultraq/array-utils": "^2.1.0", "@ultraq/array-utils": "^2.1.0",
"@ultraq/icu-message-formatter": "^0.10.0" "@ultraq/icu-message-formatter": "^0.12.0"
} }
}, },
"@babel/code-frame": { "@babel/code-frame": {
@ -8645,9 +8647,9 @@
"integrity": "sha512-AwFCYorRn0GE34hfgxaCmfnReHqcwWE6QwWPQf/1Zj7k3Zi0FATSJhbtDA+6ayV8p6AnhEntntXaMWMkK17tEQ==" "integrity": "sha512-AwFCYorRn0GE34hfgxaCmfnReHqcwWE6QwWPQf/1Zj7k3Zi0FATSJhbtDA+6ayV8p6AnhEntntXaMWMkK17tEQ=="
}, },
"@ultraq/icu-message-formatter": { "@ultraq/icu-message-formatter": {
"version": "0.10.1", "version": "0.12.0",
"resolved": "https://registry.npmjs.org/@ultraq/icu-message-formatter/-/icu-message-formatter-0.10.1.tgz", "resolved": "https://registry.npmjs.org/@ultraq/icu-message-formatter/-/icu-message-formatter-0.12.0.tgz",
"integrity": "sha512-UxhC0wQvDmeQSZ/4RtxO62czV8fjV/T6A0JU9zjGS0eK+ho0WeTixnEUJ0vNikFBqUkaopl+HDjrsvTDXm5W+A==", "integrity": "sha512-ebd/ZyC1lCVPPrX3AQ9h77NDK4d1nor0Grmv43e97+omWvJB29lbuT+9yM3sq4Ri1QKwTvKG1BUhXBz0oAAR2w==",
"requires": { "requires": {
"@babel/runtime": "^7.11.2", "@babel/runtime": "^7.11.2",
"@ultraq/array-utils": "^2.1.0", "@ultraq/array-utils": "^2.1.0",


@ -3,8 +3,8 @@
"name": "@flarum/core", "name": "@flarum/core",
"prettier": "@flarum/prettier-config", "prettier": "@flarum/prettier-config",
"dependencies": { "dependencies": {
"@askvortsov/rich-icu-message-formatter": "^0.1.0", "@askvortsov/rich-icu-message-formatter": "^0.2.1",
"@ultraq/icu-message-formatter": "^0.10.1", "@ultraq/icu-message-formatter": "^0.12.0",
"bootstrap": "^3.4.1", "bootstrap": "^3.4.1",
"clsx": "^1.1.1", "clsx": "^1.1.1",
"color-thief-browser": "^2.0.2", "color-thief-browser": "^2.0.2",


@ -55,16 +55,7 @@ export default class Translator {
if (!parameters.username) parameters.username = username(user); if (!parameters.username) parameters.username = username(user);
} }
const escapedParameters: TranslatorParameters = {}; return parameters;
for (const param in parameters) {
const paramValue = parameters[param];
if (typeof paramValue === 'string') escapedParameters[param] = <>{parameters[param]}</>;
else escapedParameters[param] = parameters[param];
}
return escapedParameters;
} }
trans(id: string, parameters: TranslatorParameters = {}) { trans(id: string, parameters: TranslatorParameters = {}) {
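Review bot: The new `return parameters;` drops the only place in this class where string parameters were wrapped before reaching the formatter, and nothing in the hunk records that the escaping responsibility has moved elsewhere; the description says the bumped `@askvortsov/rich-icu-message-formatter` now handles the injection case, but that assumption is invisible to a reader of this method. A short comment above the return would keep the security boundary explicit, e.g. `// Parameters are returned unescaped on purpose: escaping of string arguments is delegated to the ICU formatter (see the ^0.2.1 floor in package.json), so do not reintroduce raw markup handling here.` It is worth noting in the same comment, or in the package.json entry, that the version floor is now a security requirement rather than a feature bump, so a future downgrade is not treated as harmless. The enclosing method's signature and its first lines start outside the hunk, so I cannot see whether any other call site still relied on the removed `escapedParameters` map.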